[Info-vax] VMS Privileges Versus Linux Capabilities
David Froble
davef at tsoft-inc.com
Wed Jun 22 20:11:08 EDT 2016
Paul Sture wrote:
> On 2016-06-22, David Froble <davef at tsoft-inc.com> wrote:
>> mcleanjoh at gmail.com wrote:
>>> On Friday, June 17, 2016 at 10:06:43 AM UTC+10, Stephen Hoffman wrote:
>>>
>>>> UWSS and drivers and execlets and ACPs, and images
>>>> installed with any ALL-class privilege — and other such constructs —
>>>> are already or can become fully privileged, with complete system
>>>> access.
>>> I thought ALL privileges didn't automatically include SECURITY
>>> privilege, or does it in some contexts?
>>>
>
> That does ring a faint bell. What version of VMS?
>
>> Hmmm ....
>>
>> AS800> set proc/priv=all
>> AS800> sho proc/priv
>>
>> 22-JUN-2016 16:37:17.79 User: DFE Process ID: 0000012F
>> Node: AS800 Process name: "DFE"
>>
>> Authorized privileges:
>> NETMBX SETPRV SYSPRV TMPMBX
>>
>> Process privileges:
>> ACNT may suppress accounting messages
>> ALLSPOOL may allocate spooled device
>> ALTPRI may set any priority value
>> AUDIT may direct audit to system security audit log
>> BUGCHK may make bug check log entries
>> BYPASS may bypass all object access controls
>> CMEXEC may change mode to exec
>> CMKRNL may change mode to kernel
>> DIAGNOSE may diagnose devices
>> DOWNGRADE may downgrade object secrecy
>> EXQUOTA may exceed disk quota
>> GROUP may affect other processes in same group
>> GRPNAM may insert in group logical name table
>> GRPPRV may access group objects via system protection
>> IMPERSONATE may impersonate another user
>> IMPORT may set classification for unlabeled object
>> LOG_IO may do logical i/o
>> MOUNT may execute mount acp function
>> NETMBX may create network device
>> OPER may perform operator functions
>> PFNMAP may map to specific physical pages
>> PHY_IO may do physical i/o
>> PRMCEB may create permanent common event clusters
>> PRMGBL may create permanent global sections
>> PRMMBX may create permanent mailbox
>> PSWAPM may change process swap mode
>> READALL may read anything as the owner
>> SECURITY may perform security administration functions
>> SETPRV may set any privilege bit
>> SHARE may assign channels to non-shared devices
>> SHMEM may create/delete objects in shared memory
>> SYSGBL may create system wide global sections
>> SYSLCK may lock system wide resources
>> SYSNAM may insert in system logical name table
>> SYSPRV may access objects via system protection
>> TMPMBX may create temporary mailbox
>> UPGRADE may upgrade object integrity
>> VOLPRO may override volume protection
>> WORLD may affect other processes in the world
>>
>> Process rights:
>> DFE resource
>> INTERACTIVE
>> REMOTE
>>
>> System rights:
>> SYS$NODE_AS800
>>
>> Soft CPU Affinity: off
>>
>> Yep, there it is, right after READALL and before SETPRV ....
>
> Same behaviour for SECURITY on VAX V7.3-1.
>
> SETPRV is a special one though. It doesn't actually go away
> if you disable it. Note for the following user SETPRV is enabled
> in the default privileges, but not in the authorized ones.
>
> UAF> show fred
>
> ...
>
> Authorized Privileges:
> ALTPRI CMKRNL IMPERSONATGRPNAM NETMBX OPER SYSNAM SYSPRV
> TMPMBX VOLPRO WORLD
> Default Privileges:
> ALTPRI CMKRNL IMPERSONATGRPNAM NETMBX OPER SETPRV SYSNAM
> SYSPRV TMPMBX VOLPRO WORLD
>
> And it doesn't show up in the authorized privileges, it is in the current
> ones:
>
> $ sh proc/priv
>
> 22-JUN-2016 22:56:37.47 User: FRED Process ID: 00000215
> Node: SPEEDY Process name: "FRED"
>
> Authorized privileges:
> ALTPRI CMKRNL IMPERSONATGRPNAM NETMBX OPER SYSNAM SYSPRV
> TMPMBX VOLPRO WORLD
>
> Process privileges:
> ALTPRI may set any priority value
> CMKRNL may change mode to kernel
> IMPERSONATE may impersonate another user
> GRPNAM may insert in group logical name table
> NETMBX may create network device
> OPER may perform operator functions
> SETPRV may set any privilege bit
> SYSNAM may insert in system logical name table
> SYSPRV may access objects via system protection
> TMPMBX may create temporary mailbox
> VOLPRO may override volume protection
> WORLD may affect other processes in the world
>
> And yes, you can use it in that state.
>
I don't think the default privs ever go away. Could be wrong. Too lazy to check.
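The thread's two listings show the audit question in practice: `SET PROCESS/PRIVILEGES=ALL` turns on SECURITY along with the rest, and a process can hold SETPRV (and therefore regain anything) even when SETPRV is absent from its authorized privileges. The following is an added example, not code from the Info-vax thread or from VMS: a small Python parser for `SHOW PROCESS/PRIVILEGES` output that compares the "Process privileges" section against "Authorized privileges" and flags drift. The `ALL_CLASS` set is my own list of the privileges the OpenVMS security guide groups under the "All" category and should be treated as an assumption; the `SAMPLE` text is constructed, modelled on the FRED listing above.

```python
"""Parse DCL 'SHOW PROCESS/PRIVILEGES' output and flag privilege drift.

Added example, not from the Info-vax thread. The sample listing below is
constructed to mirror the FRED output quoted in the thread.
"""

# Assumption: privileges the OpenVMS Guide to System Security places in the
# "All" category (each one is enough to take over the whole system).
ALL_CLASS = {
    "BYPASS", "CMEXEC", "CMKRNL", "DOWNGRADE", "IMPERSONATE", "LOG_IO",
    "PFNMAP", "PHY_IO", "SETPRV", "SHARE", "SYSNAM", "SYSPRV", "UPGRADE",
}

# Constructed sample: SETPRV is held by the process but is not authorized.
SAMPLE = """\
 22-JUN-2016 22:56:37.47   User: FRED             Process ID:   00000215
                           Node: SPEEDY           Process name: "FRED"

Authorized privileges:
 ALTPRI     CMKRNL     IMPERSONATE GRPNAM     NETMBX     OPER       SYSNAM
 SYSPRV     TMPMBX     VOLPRO     WORLD

Process privileges:
 ALTPRI               may set any priority value
 CMKRNL               may change mode to kernel
 IMPERSONATE          may impersonate another user
 GRPNAM               may insert in group logical name table
 NETMBX               may create network device
 OPER                 may perform operator functions
 SETPRV               may set any privilege bit
 SYSNAM               may insert in system logical name table
 SYSPRV               may access objects via system protection
 TMPMBX               may create temporary mailbox
 VOLPRO               may override volume protection
 WORLD                may affect other processes in the world

Process rights:
 FRED                              resource
 INTERACTIVE

System rights:
 SYS$NODE_SPEEDY

Soft CPU Affinity: off
"""


def parse_show_proc_priv(text):
    """Return (authorized, process) privilege name sets from the listing.

    Section headers end in a colon. 'Authorized privileges' lists bare names,
    several per line; 'Process privileges' gives one name per line followed
    by a description, so only the first token is the privilege.
    """
    sections = {"Authorized privileges": set(), "Process privileges": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            name = line[:-1]
            current = name if name in sections else None  # skip rights etc.
            continue
        if current == "Authorized privileges":
            sections[current].update(line.split())
        elif current == "Process privileges":
            sections[current].add(line.split()[0])
    return sections["Authorized privileges"], sections["Process privileges"]


def audit(authorized, process):
    """Flag privileges held beyond the UAF grant and any All-class ones held."""
    return {
        # Held now but not in the authorized mask: enabled via SETPRV or
        # carried in from default privileges, as the thread describes.
        "not_in_authorized": sorted(process - authorized),
        "all_class_held": sorted(process & ALL_CLASS),
        # With SETPRV enabled, any disabled privilege can be re-enabled.
        "can_regain_all": "SETPRV" in process,
    }


def audit_sample():
    """Run the audit over the constructed sample listing."""
    return audit(*parse_show_proc_priv(SAMPLE))


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Run against real output, the check that matters is `not_in_authorized` containing SETPRV, which is exactly the FRED state Paul shows: authorized privileges say one thing, the live process can do anything.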